Reduce, Reuse, Recycle — Except for Passwords

“Reduce, reuse, recycle” is the mantra of the green movement. In fact, that slogan is itself really just a recycling, as it were, of the old adage “waste not, want not.” It makes sense: Reducing waste, reusing items or recycling things that are no longer useful in their current form conserves both natural resources — which don’t have to be harvested or mined — and limited landfill space.

But are there things for which this thrifty mindset doesn’t work? Yes — passwords.

While reducing, reusing and recycling passwords across multiple sites makes them a lot easier to keep up with, it also makes accounts a lot easier to hack. In fact, it reduces your overall security to the level of the most insecure system the password is used on, since a breach on one site effectively rends all the others using the same credentials vulnerable as well.

This means that if an attacker steals your password for a site on which you have no sensitive information stored and, as a result, security was an afterthought both for you and the site administrators, that attacker also has the key to potentially unlock all the other sites you use, including the ones where your most valuable data is stored. If that data happens to be credit card numbers, identity information or corporate secrets, things could get very bad in a hurry.

The Danger Is Real

Ransom demand screenshotStill not convinced of the risk? Consider the recent Find My iPhone incident. Some Australian iCloud users found themselves locked out of their smart phones, tablets and computers; hacked equipment displayed a message demanding a ransom in order to unlock the device.

Apparently, the breach resulted from — you guessed it — reuse of passwords across multiple sites. Apple responded by advising affected users to “change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.”

This is good advice even if you haven’t been hacked. In fact, it’s even better advice to use before you are hacked to prevent damage in the first place.

Lock Down Passwords with SSO

So how can you maintain passwords that are:

  • Unique for each system;
  • Hard to guess (which usually makes them hard to remember); and
  • Changed frequently?

Either develop a superpower to remember random details or use a single sign-on (SSO) tool to manage all the minutiae. Since the latter is easier to acquire than the former, I’d opt for that alternative. The SSO tool can reduce the password problem to a manageable size by giving you a single master key to unlock the vault of unique passwords it has generated for you for each site and not reuse or recycle existing credentials. This approach contains the damage of a breach on one system to only that system and prevents the sort of cascading failure that presumably was at the source of all the locked iPhones.

If you’re concerned that the SSO tool could be hacked, then use two-factor authentication to lock it down so that an attacker would have to not only steal your master password, but also your security token, mobile phone or fingerprint as well. While not impossible, it certainly makes things more difficult for the bad guys, and that’s the goal.

Also, don’t overlook the fact that this may be the only security enhancement you will ever implement that will actually improve the accessibility and usability of your system, since the SSO tool will not only manage all your unique, random, constantly changing passwords, it will actually type them in for you automatically so typos during log-on become a thing of the past.

Share this Article:
Jeff Crume

Distinguished Engineer & IT Security Architect, IBM

Jeff Crume is an IBM Distinguished Engineer and IT Security Architect with 29 years experience in the IT industry. He is the author of a book entitled “Inside Internet Security: What Hackers Don’t Want You To Know” and has written articles on cryptography, virtual private networking and identity management. He holds Certified Information Systems Security Professional and Information Systems Security Architecture Professional security industry certifications as well as Distinguished Chief IT Architect credentials from The Open Group. Jeff lived in Beijing on assignment in 2006 where he helped architect secure infrastructures for clients in the Greater China geography. He is a member of the IBM Academy of Technology and an IBM Master Inventor. He serves on the NC State University Computer Science Strategic Advisory Board, the “Information Management & Computer Security” research journal editorial board and has worked with clients in 40 countries across 6 continents. ;; You can read more on Jeff's personal blog at InsideInternetSecurity.com